Cybersecurity professionals looking to welcome more diverse talent into their workforce should consider evolving old-fashioned job listings and interview questions, emphasizing business skills and personal qualities over technical skills and certifications, according to a panel of experts.
Edna Conway, vice president and general manager of global security, risk and compliance with Azure at Microsoft, said that organizations can suffer from closed-mindedness when recruiting, preferring individuals who possess a very specific expertise or a certification such as CISSP. But in certain cases, hiring managers may want to do away with such prerequisites.
“What if you said, ‘I'm looking for somebody who understands how to be inquisitive, somebody who understands how to communicate?’” said Conway, who participated on the panel Wednesday at the RiskSec 2020 Digital conference. Put that person in a room with someone that has a technical background – say, a deep quantum expert – “and watch what happens. It's amazing.” They are able to work together and communicate, she continued.
Conway said that at a previous company she actually twice hired drivers whom she met via ride-sharing apps, after observing certain traits or know-how that she felt would benefit her organization. “And they were from other nations, and they were new in the United States,” said Conway. “But guess what: there's this unbelievable set of knowledge sitting behind that wheel you would never have access to.”
This kind of open-mindedness can go a long way, Conway said, because even though some people may not have a technical background in cyber, they have other skills that can prove useful.
Fellow panelist Camille Stewart, head of security policy for Google Play and Android at Google, agreed, noting that when job descriptions seek out highly specific parameters, viable candidates don’t apply because they figure they have no real chance.
“We need to get to a point where we are articulating the skills and abilities that we need, not giving people a reason to self-select out… particularly disenfranchised groups,” said Stewart.
Stewart therefore recommended “opening up the aperture” on the job description, while requiring hiring managers to actually articulate to recruiters the skillset needed, versus what could be taught on the job.
This way, prospective employees know they have the necessary skills to apply, and can be trained up on certain systems and technology later.
“Do I really need a robust knowledge of all of these systems to actually be effective with this job?” said Stewart, putting herself in the shoes of an employee. “Or is my job… to be a translator between stakeholder communities? Or is my job going to be to be creative and to really think about how we're interfacing with different communities or how we are implementing this technical capability in a new environment?”
A recruiter can have a conversation with those interested in the role or folks they identify, and get to the heart of their ability to do the job, and the employer's ability to bridge the gap on the rest.
This led to another key recommendation: teach job recruiters how to properly interview for these cyber positions.
“In all honesty, it is a skill, and it is not everybody’s skill,” said Conway.
Some jobs require deep technical skills and thus require a more technical interview. But for other roles, the line of questioning might be designed more to get a better sense of the individual.
Stewart noted how the Department of Homeland Security in 2016 began holding career fairs where attendees could interview for a job and potentially receive an offer on the spot. “I believe they [made] close to 100 offers that first time and then continued to build upon that in subsequent years,” said Stewart. “And that also broke away from the [traditional] job description – being able to come in, talk to somebody, tell them about you, your skill set, your ability, your connection to cybersecurity; they were able to find a place based on what they knew the needs were within the department.”
One other area where panelists said organizations could get out of their traditional comfort zones is networking. Security professionals need not rely solely on Ivy League educational programs or their own personal “Rolodex” to source new talent. There are other sources.
Panelist Jerry Davis, former CIO at the NASA Ames Research Center, said employers have a tendency to seek out their own “tribe,” looking for people with similar backgrounds as their own. But in doing so, they are not opening up their organizations to people with different life experience and voices.
Additionally, there is talent in underserved communities waiting to be discovered, he said. When Davis was at NASA, instead of recruiting from only places like Stanford, MIT and Princeton, the agency “made a very concerted effort to go to [historically black colleges and universities], going to rural areas, places that NASA would [historically] never go to.”
Within these communities, NASA even began reaching out to K-12 students as a way to attract younger generations. In doing so, the agency “broke through some barriers and really made the place more diversified and inclusive.”
During the same panel discussion, Davis, Stewart and Conway also discussed the advantages and drawbacks of using diversity metrics in your organization.